-rw-r--r--epan/dissectors/packet-smb.c50
-rw-r--r--epan/dissectors/packet-windows-common.c54
2 files changed, 78 insertions, 26 deletions
diff --git a/epan/dissectors/packet-smb.c b/epan/dissectors/packet-smb.c
index 05ca312a71..2dd37dc0a3 100644
--- a/epan/dissectors/packet-smb.c
+++ b/epan/dissectors/packet-smb.c
@@ -5783,8 +5783,9 @@ dissect_locking_andx_request(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *
}
if (cmd != 0xff) { /* there is an andX command */
- if (andxoffset < offset)
+ if (andxoffset < offset) {
THROW(ReportedBoundsError);
+ }
dissect_smb_command(tvb, pinfo, andxoffset, smb_tree, cmd, FALSE);
}
@@ -5875,8 +5876,9 @@ dissect_locking_andx_response(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree
END_OF_SMB
if (cmd != 0xff) { /* there is an andX command */
- if (andxoffset < offset)
+ if (andxoffset < offset) {
THROW(ReportedBoundsError);
+ }
dissect_smb_command(tvb, pinfo, andxoffset, smb_tree, cmd, FALSE);
}
@@ -6080,8 +6082,9 @@ dissect_open_andx_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, i
END_OF_SMB
if (cmd != 0xff) { /* there is an andX command */
- if (andxoffset < offset)
+ if (andxoffset < offset) {
THROW(ReportedBoundsError);
+ }
dissect_smb_command(tvb, pinfo, andxoffset, smb_tree, cmd, FALSE);
}
@@ -6248,8 +6251,9 @@ dissect_open_andx_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
END_OF_SMB
if (cmd != 0xff) { /* there is an andX command */
- if (andxoffset < offset)
+ if (andxoffset < offset) {
THROW(ReportedBoundsError);
+ }
dissect_smb_command(tvb, pinfo, andxoffset, smb_tree, cmd, FALSE);
}
@@ -6408,8 +6412,9 @@ dissect_read_andx_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, i
END_OF_SMB
if (cmd != 0xff) { /* there is an andX command */
- if (andxoffset < offset)
+ if (andxoffset < offset) {
THROW(ReportedBoundsError);
+ }
dissect_smb_command(tvb, pinfo, andxoffset, smb_tree, cmd, FALSE);
}
@@ -6604,8 +6609,9 @@ dissect_read_andx_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
END_OF_SMB
if (cmd != 0xff) { /* there is an andX command */
- if (andxoffset < offset)
+ if (andxoffset < offset) {
THROW(ReportedBoundsError);
+ }
dissect_smb_command(tvb, pinfo, andxoffset, smb_tree, cmd, FALSE);
}
@@ -6838,8 +6844,9 @@ dissect_write_andx_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
END_OF_SMB
if (cmd != 0xff) { /* there is an andX command */
- if (andxoffset < offset)
+ if (andxoffset < offset) {
THROW(ReportedBoundsError);
+ }
dissect_smb_command(tvb, pinfo, andxoffset, smb_tree, cmd, FALSE);
}
@@ -6924,8 +6931,9 @@ dissect_write_andx_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
END_OF_SMB
if (cmd != 0xff) { /* there is an andX command */
- if (andxoffset < offset)
+ if (andxoffset < offset) {
THROW(ReportedBoundsError);
+ }
dissect_smb_command(tvb, pinfo, andxoffset, smb_tree, cmd, FALSE);
}
@@ -7329,8 +7337,9 @@ dissect_session_setup_andx_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree
END_OF_SMB
if (cmd != 0xff) { /* there is an andX command */
- if (andxoffset < offset)
+ if (andxoffset < offset) {
THROW(ReportedBoundsError);
+ }
pinfo->private_data = si;
dissect_smb_command(tvb, pinfo, andxoffset, smb_tree, cmd, FALSE);
}
@@ -7464,8 +7473,9 @@ dissect_session_setup_andx_response(tvbuff_t *tvb, packet_info *pinfo, proto_tre
END_OF_SMB
if (cmd != 0xff) { /* there is an andX command */
- if (andxoffset < offset)
+ if (andxoffset < offset) {
THROW(ReportedBoundsError);
+ }
pinfo->private_data = si;
dissect_smb_command(tvb, pinfo, andxoffset, smb_tree, cmd, FALSE);
}
@@ -7506,8 +7516,9 @@ dissect_empty_andx(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offs
END_OF_SMB
if (cmd != 0xff) { /* there is an andX command */
- if (andxoffset < offset)
+ if (andxoffset < offset) {
THROW(ReportedBoundsError);
+ }
dissect_smb_command(tvb, pinfo, andxoffset, smb_tree, cmd, FALSE);
}
@@ -7705,8 +7716,9 @@ dissect_tree_connect_andx_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree
END_OF_SMB
if (cmd != 0xff) { /* there is an andX command */
- if (andxoffset < offset)
+ if (andxoffset < offset) {
THROW(ReportedBoundsError);
+ }
dissect_smb_command(tvb, pinfo, andxoffset, smb_tree, cmd, FALSE);
}
@@ -7857,8 +7869,9 @@ dissect_tree_connect_andx_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree
END_OF_SMB
if (cmd != 0xff) { /* there is an andX command */
- if (andxoffset < offset)
+ if (andxoffset < offset) {
THROW(ReportedBoundsError);
+ }
dissect_smb_command(tvb, pinfo, andxoffset, smb_tree, cmd, FALSE);
}
@@ -8517,8 +8530,10 @@ dissect_nt_trans_data_request(tvbuff_t *tvb, packet_info *pinfo, int offset, pro
DISSECTOR_ASSERT(si);
if(parent_tree){
- tvb_ensure_bytes_exist(tvb, offset, bc);
- item = proto_tree_add_text(parent_tree, tvb, offset, bc,
+ guint32 bytes = 0;
+ bytes = tvb_length_remaining(tvb, offset);
+ /*tvb_ensure_bytes_exist(tvb, offset, bc);*/
+ item = proto_tree_add_text(parent_tree, tvb, offset, bytes,
"%s Data",
val_to_str_ext(ntd->subcmd, &nt_cmd_vals_ext, "Unknown NT transaction (%u)"));
tree = proto_item_add_subtree(item, ett_smb_nt_trans_data);
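Review bot: `bytes` is a `guint32` that receives the result of `tvb_length_remaining()`, which returns a signed `gint` and, as far as I recall, -1 when `offset` is already past the end of the buffer; stored unsigned that becomes a ~4 GB item length instead of an empty one. The item also now spans everything left in the buffer rather than the `bc` bytes the transaction declares, so a complete packet with trailing data gets an oversized "Data" item. `gint bytes = MIN(bc, tvb_length_remaining(tvb, offset));` keeps the declared length when the capture is complete and only shrinks it when the capture is short (a negative result still needs clamping to 0 before it is used as a length). The commented-out `tvb_ensure_bytes_exist` call should be deleted rather than left in the source; dissect_nt_trans_data_request starts outside this hunk.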
@@ -8564,6 +8579,11 @@ dissect_nt_trans_data_request(tvbuff_t *tvb, packet_info *pinfo, int offset, pro
offset = dissect_nt_sec_desc(
tvb, offset, pinfo, tree, NULL, TRUE, bc, ami);
+
+ if (offset < (old_offset + bc)) {
+ offset = old_offset + bc;
+ }
+
break;
case NT_TRANS_NOTIFY:
break;
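Review bot: The three added lines push `offset` forward to `old_offset + bc` without saying why, and the reason is only visible in the other file of this diff (dissect_nt_sec_desc now returns `offset` instead of `offset+len`, so it can stop short of the declared data). A why-comment such as `/* The descriptor may dissect shorter than the declared data count (truncated capture or padding); always consume the full bc bytes so the next field lines up. */` would keep the two files from drifting apart. `old_offset` is assigned outside this hunk, so I could not confirm it marks the start of the data block; the enclosing switch and function start outside the hunk as well.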
diff --git a/epan/dissectors/packet-windows-common.c b/epan/dissectors/packet-windows-common.c
index be75070d37..7546b28550 100644
--- a/epan/dissectors/packet-windows-common.c
+++ b/epan/dissectors/packet-windows-common.c
@@ -2362,6 +2362,8 @@ dissect_nt_acl(tvbuff_t *tvb, int offset, packet_info *pinfo,
int pre_ace_offset;
guint16 revision;
guint32 num_aces;
+ guint32 total_aces;
+ gboolean missing_data = FALSE;
if(parent_tree){
item = proto_tree_add_text(parent_tree, tvb, offset, -1,
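Review bot: `total_aces` is declared here and assigned in the next hunk (`total_aces = num_aces;`) but never read anywhere in this diff, which will trip -Wunused-but-set-variable. Either drop both lines, or use it where it adds value, for example in that hunk's truncation message: `proto_tree_add_text(tree, tvb, offset, 0, "ACE %u of %u extends beyond end of captured or reassembled buffer", total_aces - num_aces, total_aces);` (after `num_aces--` in the loop condition, `total_aces - num_aces` is the 1-based index of the ACE being dissected). dissect_nt_acl starts outside this hunk.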
@@ -2407,15 +2409,27 @@ dissect_nt_acl(tvbuff_t *tvb, int offset, packet_info *pinfo,
tvb, offset, 4, num_aces);
offset += 4;
- while(num_aces--){
+ total_aces = num_aces;
+
+ while(num_aces-- && !missing_data){
pre_ace_offset = offset;
- offset = dissect_nt_v2_ace(tvb, offset, pinfo, tree, drep, ami);
- if (pre_ace_offset == offset) {
+
+ TRY {
+ offset = dissect_nt_v2_ace(tvb, offset, pinfo, tree, drep, ami);
+ if (pre_ace_offset == offset) {
/*
* Bogus ACE, with a length < 4.
*/
break;
+ }
}
+
+ CATCH2(BoundsError, ReportedBoundsError) {
+ proto_tree_add_text(tree, tvb, offset, 0, "ACE Extends beyond end of captured or reassembled buffer");
+ missing_data = TRUE;
+ }
+
+ ENDTRY;
}
}
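Review bot: The `break;` on the bogus-ACE path is now inside the TRY block, and because TRY/ENDTRY is not itself a loop it leaves the enclosing `while` without reaching ENDTRY, so as far as I can tell from exceptions.h the `except_try_pop()` that ENDTRY performs is skipped and the exception stack is left unbalanced for the rest of the dissection (the header's rule against `return`/`goto` inside TRY exists for the same reason). Replacing `break;` with `missing_data = TRUE;` ends the loop through the `!missing_data` condition that this hunk already adds. Using `offset` in the CATCH handler is correct here, since the assignment from dissect_nt_v2_ace never completed and it still holds the pre-ACE position; a short comment saying so would save the next reader the same check.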
@@ -2663,9 +2677,17 @@ dissect_nt_sec_desc(tvbuff_t *tvb, int offset, packet_info *pinfo,
*/
THROW(ReportedBoundsError);
}
- offset = dissect_nt_sid(tvb, item_offset, tree, "Owner", NULL, -1);
- if (offset > end_offset)
- end_offset = offset;
+ TRY{
+ offset = dissect_nt_sid(tvb, item_offset, tree, "Owner", NULL, -1);
+ if (offset > end_offset)
+ end_offset = offset;
+ }
+
+ CATCH2(BoundsError, ReportedBoundsError) {
+ proto_tree_add_text(tree, tvb, item_offset, 0, "Owner SID beyond end of captured or reassembled buffer");
+ }
+
+ ENDTRY;
}
/*group SID*/
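Review bot: The TRY/CATCH2/ENDTRY wrapper added here is repeated almost verbatim for the group SID in the next hunk (only "Owner"/"Group" differ), and two hand-maintained copies of an exception handler are easy to let drift; a small static helper that takes the SID label and updates `offset`/`end_offset` through pointers keeps both paths identical and gives the truncation message one home. Note that after a caught truncation `end_offset` is not advanced, so the `len = end_offset - start_offset` computed at the end of dissect_nt_sec_desc will not cover the truncated SID — probably intended, but worth a one-line comment in the CATCH. dissect_nt_sec_desc starts outside this hunk, and I am assuming `end_offset` is an `int` like `offset`.
```c
/* Dissect one SID of a security descriptor. A SID that runs past the
 * captured/reassembled data is reported as a zero-length item instead of
 * aborting the whole descriptor; *offset and *end_offset are then left
 * untouched. */
static void
dissect_nt_sec_desc_sid(tvbuff_t *tvb, int item_offset, proto_tree *tree,
                        const char *name, int *offset, int *end_offset)
{
	TRY {
		*offset = dissect_nt_sid(tvb, item_offset, tree, name, NULL, -1);
		if (*offset > *end_offset)
			*end_offset = *offset;
	}

	CATCH2(BoundsError, ReportedBoundsError) {
		proto_tree_add_text(tree, tvb, item_offset, 0,
		    "%s SID beyond end of captured or reassembled buffer", name);
	}

	ENDTRY;
}

/* … unchanged: owner SID offset validation and THROW … */
		dissect_nt_sec_desc_sid(tvb, item_offset, tree, "Owner", &offset, &end_offset);
```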
@@ -2677,9 +2699,17 @@ dissect_nt_sec_desc(tvbuff_t *tvb, int offset, packet_info *pinfo,
*/
THROW(ReportedBoundsError);
}
- offset = dissect_nt_sid(tvb, item_offset, tree, "Group", NULL, -1);
- if (offset > end_offset)
- end_offset = offset;
+ TRY {
+ offset = dissect_nt_sid(tvb, item_offset, tree, "Group", NULL, -1);
+ if (offset > end_offset)
+ end_offset = offset;
+ }
+
+ CATCH2(BoundsError, ReportedBoundsError) {
+ proto_tree_add_text(tree, tvb, item_offset, 0, "Group SID beyond end of captured or reassembled buffer");
+ }
+
+ ENDTRY;
}
/* sacl */
@@ -2711,6 +2741,7 @@ dissect_nt_sec_desc(tvbuff_t *tvb, int offset, packet_info *pinfo,
if (offset > end_offset)
end_offset = offset;
}
+
break;
default:
@@ -2720,16 +2751,17 @@ dissect_nt_sec_desc(tvbuff_t *tvb, int offset, packet_info *pinfo,
if (len_supplied) {
/* Make sure the length isn't too large (so that we get an
overflow) */
- tvb_ensure_bytes_exist(tvb, start_offset, len);
+ /* tvb_ensure_bytes_exist(tvb, start_offset, len);*/
} else {
/* The length of the security descriptor is the difference
between the starting offset and the offset past the last
item in the descriptor. */
len = end_offset - start_offset;
}
+ len = end_offset - start_offset;
proto_item_set_len(item, len);
- return offset+len;
+ return offset;
}
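Review bot: The `if (len_supplied) { … } else { … }` block is now dead code: its only live statement is repeated unconditionally on the line after it, and the `tvb_ensure_bytes_exist` call survives only as a comment. Delete the if/else and the commented-out call so the tail reads `len = end_offset - start_offset;` `proto_item_set_len(item, len);` `return offset;`, and add a comment stating that the caller-supplied length is intentionally ignored in favour of the dissected extent, otherwise `len_supplied` looks like a check that still happens. Changing the return from `offset+len` to `offset` changes what every caller of dissect_nt_sec_desc receives; only the packet-smb.c caller in this diff compensates (the `offset < old_offset + bc` bump), so any other callers outside this diff should be checked for the old assumption. The function's head is outside this hunk, so I could not confirm what `offset` holds at this point.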
/*